diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e3ff4e11..0a878830 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,16 +11,33 @@ on:
       - '*.md'
 
 jobs:
+  dependency-review:
+    name: Dependency Review
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@v3
+        with:
+          persist-credentials: false
+
+      - name: Dependency review
+        uses: actions/dependency-review-action@v2
+
   test:
     runs-on: ${{ matrix.os }}
-
+    permissions:
+      contents: read
     strategy:
       matrix:
-        node-version: [14.x, 16.x, "*"]
+        node-version: [14, 16, '*']
         os: [ubuntu-latest, windows-latest, macOS-latest]
-
     steps:
       - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
 
       - name: Use Node.js
         uses: actions/setup-node@v3
@@ -50,6 +67,8 @@ jobs:
   coverage:
     needs: test
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Coveralls Finished
         uses: coverallsapp/github-action@master
diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml
new file mode 100644
index 00000000..f618657f
--- /dev/null
+++ b/.github/workflows/sast.yml
@@ -0,0 +1,29 @@
+name: sast
+
+on:
+  push:
+    branches-ignore:
+      - 'dependabot/**'
+  pull_request:
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: true
+      matrix:
+        language: [ 'javascript' ]
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
+
+      - uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+
+      - uses: github/codeql-action/analyze@v2
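Review bot: The new `dependency-review` job and the hardened `test` job reference their actions by mutable major tags (`actions/checkout@v3`, `actions/dependency-review-action@v2`), so the hardening this hunk adds (`persist-credentials: false`, job-scoped `permissions: contents: read`) still trusts whoever can move those tags upstream. Pinning to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/dependency-review-action@<full-commit-sha> # v2`, makes the reference immutable while still letting Dependabot track releases via the comment. The same applies to `github/codeql-action/init@v2` and `github/codeql-action/analyze@v2` in the new sast.yml hunk, and the coverage hunk's existing `coverallsapp/github-action@master` is a branch ref that changes on every upstream push, which the added `permissions` block does not mitigate. Consider also setting the dependency-review step's `fail-on-severity` input explicitly (if the pinned version supports it) so the threshold the job enforces is visible in the file rather than inherited from the action's default.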
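Review bot: In the new sast.yml, `push` (every branch except `dependabot/**`) and `pull_request` both fire for a pull request opened from a branch in the same repository, so each PR commit is analyzed twice and uploads two result sets under `security-events: write`. If the intent is to scan the default branch on push and everything else through PRs, `branches: [<default-branch>]` under `push:` (the default branch name is not visible in the diff) removes the duplicate run and makes the `dependabot/**` exclusion unnecessary. Either way, a comment above `branches-ignore:` such as `# dependabot branches are analyzed via the pull_request trigger instead` records why those pushes are skipped. `fail-fast: true` is the matrix default and can be dropped, and `[ 'javascript' ]` would read more consistently with ci.yml's flow lists as `['javascript']`.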